Penetration Testing: Re: Firewall Scan

["SD List" <list () security-database com>]

Hi,

RFB is a part of VNC handshake !!
see more detail here http://www.tigervnc.org/cgi-bin/rfbproto

Cheers

N.OUCHN
Security-Database.com


> Hello Guys,
>
> I was doing a normal TCP Scan on port 5900, when I found a strange result:
>
> 1st I did a normal TCP scan with Nmap
>
> Onix:~# nmap -p 5900 x.x.x.x
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:52 ART
> Interesting ports on x.x.x.x:
> PORT     STATE  SERVICE
> 5900/tcp closed vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.361 seconds
>
> But.. if I use telnet/nc with this port, they can connect:
> Onix:~# telnet x.x.x.x 5900
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> RFB 003.003
>
> ^C
> What? I can connect..
> Ok, I will perform a more detailed scan:
>
> Onix:~# hping -S  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=16854 sport=5900 flags=RA seq=0 win=512
> rtt=2.6 ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 2.6/2.6/2.6 ms
>
> This host return an Reset/ACK, it should be ok if the port was closed,
> but I can connect with him.
>
> WINDOWS SCAN:
>
> Onix:~# nmap -sW -p 5900 x.x.x.x
>
> Starting Nmap 4.62 ( http://nmap.org ) at 2009-06-24 13:57 ART
> Interesting ports on x.x.x.x:
> PORT     STATE SERVICE
> 5900/tcp open  vnc
>
> Nmap done: 1 IP address (1 host up) scanned in 0.051 seconds
>
> Ok, I will look the TCP Windows:
> First I try to send a TCP Packet with WIN=1
>
> Onix:~# hping -S -w 1  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8
> ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 7.8/7.8/7.8 ms
>
> In the most cases, shouldn't this host respond with its suggestion of
> window's size??
>
> Then I sent the same with WIN=4096
>
> Onix:~# hping -S -w 4096  -p 5900 x.x.x.x
> HPING 165.140.201.169 (eth1 x.x.x.x): S set, 40 headers + 0 data bytes
> len=46 ip=x.x.x.x ttl=56 id=23123 sport=5900 flags=RA seq=0 win=1 rtt=7.8
> ms
> ^C
> --- x.x.x.x hping statistic ---
> 1 packets transmitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 7.8/7.8/7.8 ms
>
>
> I can't understad this!
> Some idea?
>
>
> --
> ---------------------------------------
> -   El conocimiento es poder   -
> - y el saber nos hace libres.    -
> ----------------------------------
> netvulcano.wordpress.com
> Linux User #405757
> Machine Linux #310536
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require a
> full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------